214 research outputs found

    “Ten strikes and you're out”: Increasing the number of login attempts can improve password usability

    Many users today are struggling to manage an increasing number of passwords. As a consequence, many organizations face an increasing demand on an expensive resource – the system administrators or help desks. This paper suggests that re-considering the “3-strikes” policy commonly applied to password login systems would be an immediate way of reducing this demand. We analyzed 10 weeks' worth of system logs from a sample of 386 users, whose login attempts were not restricted in the usual manner. During that period, only 10% of login attempts failed. We predict that requests for password reminders could be reduced by up to 44% by increasing the number of strikes from 3 to ten.

    Transforming the 'weakest link' - a human/computer interaction approach to usable and effective security

    The security research community has recently recognised that user behaviour plays a part in many security failures, and it has become common to refer to users as the 'weakest link in the security chain'. We argue that simply blaming users will not lead to more effective security systems. Security designers must identify the causes of undesirable user behaviour, and address these to design effective security systems. We present examples of how undesirable user behaviour with passwords can be caused by failure to recognise the characteristics of human memory, unattainable or conflicting task demands, and lack of support, training and motivation. We conclude that existing human/computer interaction knowledge and techniques can be used to prevent or address these problems, and outline a vision of a holistic design approach for usable and effective security.

    Investigating loan applicants' perceptions of alternative data items and the effect of incentives on disclosure

    Lenders use information about loan applicants to predict whether a person is a good or bad credit risk; however borrowers express reservations about disclosing their personal information. In this paper we describe the design of a study in which we try to identify which data items have bigger privacy costs for individuals and whether it is possible to adjust lenders' data collection procedures in order to improve the privacy of the borrowers while maintaining or improving the accuracy of risk assessment methods. We aim to explore whether consumers could be equitably encouraged to give different information than they do presently, by offering incentives for disclosures. These incentives are: an uncertain long term financial gain; a certain short term financial gain. We also explore an inequitable manipulation using peer pressure. The advantages and disadvantages of this methodological approach are also discussed.

    Adding insult to injury: consumer experiences of being denied credit

    To inspire confidence in consumer credit and improve outcomes for consumers, negative experiences such as being denied credit must be handled appropriately. We conducted an online survey with 298 UK citizens who had a credit application denied to gain a better understanding of their experience of being denied credit. We found that privacy issues make this experience more upsetting for consumers than necessary. When being denied credit, respondents are most concerned about (1) being denied credit ‘in public’; and (2) not being informed about the reasons why they are denied. Only 23% of our respondents knew why they had been denied; 116 (62%) believed they had been denied credit because of their credit record, but 28% had never checked it. Out of the 194 respondents who had checked their record, 38 identified errors in their credit reports, and in 14 of these cases (38%) debts that they had paid off were incorrectly listed as outstanding. Based on our findings, we propose several changes to the credit application process: (1) providing sensitive but helpful information in a private manner, e.g. a preview of their credit score before they commit a loan application; (2) credit denial notifications with information on what to do next; and (3) giving applicants more information about checking their credit report and who to contact for correcting errors.

    Too close for comfort: A study of the effectiveness and acceptability of rich-media personalized advertising

    Online display advertising is predicted to make $29.53 billion this year. Advertisers believe targeted and personalized ads to be more effective, but many users are concerned about their privacy. We conducted a study where 30 participants completed a simulated holiday booking task; each page showing ads with different degrees of personalization. Participants fixated twice as long when ads contained their photo. Participants reported being more likely to notice ads with their photo, holiday destination, and name, but also increasing levels of discomfort with increasing personalization. We conclude that greater personalization in ad content may achieve higher levels of attention, but that the most personalized ads are also the least acceptable. The noticeability benefit in using someone's photo to make them look at an ad may be offset by the privacy cost. As more personal data becomes available to advertisers, it becomes important that these trade-offs are considered.

    Federated identity to access e-government services - are citizens ready for this?

    Both the US & UK governments have decided that citizens will authenticate to government using Federated Identity (FedID) solutions: governments do not want to be Identity providers (IdPs), but leverage accounts that citizens have with other service providers instead. We investigated how citizens react to their first encounter with FedID authentication in this context. We performed 2 studies using low fidelity prototypes with: in study 1, 44 citizen participants, & in study 2, 22 small business owners, employees & agents. We recorded their reactions during their user journey authenticating with 3rd party providers they already had accounts with. In study 1, 50% of participants said they would not continue to use the system on reaching the hub page, & 45% believed they were being asked to make a payment. 25% of those continuing said they would stop when they reached the consent page, where they were asked by their IdP to authorise the release of their identifying information to the government service. 34% of the participants felt threatened rather than reassured by the privacy protection statement. With study 2's improved prototype, only 14% of participants said they would not continue on reaching the hub page, & 6% abandoned at the consent page. Our results show that usability & acceptance of FedID can be greatly improved by the application of standard HCI techniques, but trust in the ID Provider is essential. We finally report results from a survey of which ID providers UK citizens would trust, & found significant differences between age groups. © 2013 ACM

    A mutate-and-map protocol for inferring base pairs in structured RNA

    Chemical mapping is a widespread technique for structural analysis of nucleic acids in which a molecule's reactivity to different probes is quantified at single-nucleotide resolution and used to constrain structural modeling. This experimental framework has been extensively revisited in the past decade with new strategies for high-throughput read-outs, chemical modification, and rapid data analysis. Recently, we have coupled the technique to high-throughput mutagenesis. Point mutations of a base-paired nucleotide can lead to exposure of not only that nucleotide but also its interaction partner. Carrying out the mutation and mapping for the entire system gives an experimental approximation of the molecule's contact map. Here, we give our in-house protocol for this mutate-and-map strategy, based on 96-well capillary electrophoresis, and we provide practical tips on interpreting the data to infer nucleic acid structure. Comment: 22 pages, 5 figures